void-linux / void-linux.github.io

Void Linux website
https://voidlinux.org

luks tutorial is horrible to follow and doesn't work #76

Closed Tcll closed 4 years ago

Tcll commented 4 years ago

following the installation procedure from the tutorial page resulted in a grub minimal console error after entering the password.

I was able to modify things to where I'd run void-installer first before running xbps-install ... lvm2 cryptsetup, but while that was able to successfully install grub, dracut failed to find /dev/voidvm/root on boot: dracut Warning: /dev/mapper/voidvm-root does not exist

currently I have a set of shell scripts to be run that initializes things following the tutorial in steps (each step requiring user input)

# ./1.sh:

cfdisk
# create partition table, be sure to make it bootable

# ./2.sh:

cryptsetup luksFormat --type luks1 /dev/sda1
# enter passphrase

# ./3.sh:

cryptsetup luksOpen /dev/sda1 voidvm
# enter passphrase

# ./4.sh:

vgcreate voidvm /dev/mapper/voidvm
lvcreate --name root -l 100%FREE voidvm
mkfs.ext4 -L root /dev/voidvm/root
void-installer
# complete setup

# ./5.sh:

mount /dev/voidvm/root /mnt
for dir in dev proc sys run; do mount --rbind /$dir /mnt/$dir; done
xbps-install -Sy -R http://alpha.de.repo.voidlinux.org/current -r /mnt lvm2 cryptsetup
# wait for installation to finish

# ./6.sh:

chroot /mnt

everything below should be temporarily copied to /mnt:

# ./7.sh:

cat >> /etc/default/grub <<END
GRUB_ENABLE_CRYPTODISK=y
END
lsblk -f
# copy luks UUID

modify: # ./8.sh:

# replace PASTE with the UUID you copied:
sed -i '/GRUB_CMDLINE_LINUX_DEFAULT=/s/"$/ rd.auto=1 cryptdevice=UUID=PASTE:lvm&/' /etc/default/grub

dd bs=512 count=4 if=/dev/urandom of=/boot/volume.key
cryptsetup luksAddKey /dev/sda1 /boot/volume.key
# enter passphrase

# ./9.sh:

chmod 000 /boot/volume.key
chmod -R g-rwx,o-rwx /boot

cat >> /etc/crypttab <<END
voidvm   /dev/sda1   /boot/volume.key   luks
END

cat >> /etc/dracut.conf.d/10-crypt.conf <<END
install_items+=" /boot/volume.key /etc/crypttab "
END

grub-install /dev/sda

and reboot when you're ready

if this could be made more interactive, and the dracut issue actually fixed, it would really help out.

bobertlo commented 4 years ago

The wiki has been replaced by https://docs.voidlinux.org I'm not sure anyone would be interested in officially supporting a script, but documenting this there would be welcome I'm sure

Tcll commented 4 years ago

unfortunately void-installer doesn't seem to support disk encryption like something even as old as Xubuntu 16.04 does... which is an installer I actually used during my initial endeavors to set up my disk before installing Void (manually clearing the Xubuntu root directory beforehand)

honestly this tutorial doesn't even go as far as I'd like to, as I can only create 1 partition for both boot and root... whereas what I'd normally do without encryption is something like what I'm doing on this machine: typical_HDD_setup or to put that more simply [ swap, boot, extended OS and optional data partitions, recovery OS ] (recovery to repair grub among other things without the annoyances of a live image)

I'm sure I could probably get something working if I can encrypt every partition and somehow have grub manage 2 keys for both itself and the OS partition... but I digress, I'm just a noob, I don't build linux distros because I don't have time nor interest. the fact I was able to get grub to boot a broken Void install is an achievement in itself.

but the fact that this broken tutorial is all that can be found on the topic for encrypting a void installation is the issue I'm trying to address here.

additional concerns: why do I want to encrypt? well, aside from other numerous reasons for such, my particular reason is I'm trying to build a router, and don't want to give hackers the ability to simply modify the contents of the drive over WAN. as for breaking into the running OS, that's another issue outside the scope of this issue.

Tcll commented 4 years ago

just wanted to update: while I couldn't get the partition to mount in the Void live image (xfce), I was able to get the partition to mount on the Xubuntu 16.04 live image and am able to modify its files...

so it looks like this might be an issue with Void's luks support?? maybe a missing package or something??

idk, I'm really not qualified to be working on this stuff. I build/mod video games, not linux distros. is there anything I can do to get this thing up and running?? honestly, I don't even care if it's just the 1 partition, as long as I can just boot Void off luks, I'll be happy...

it would really help back that aggressive BSD security attitude as well ;) yes I know this is Linux, not BSD, but what's the point of claiming to be BSD-like without the attitude to back the claim?

Vaelatern commented 4 years ago

I think you could be missing a dracut module.

Tcll commented 4 years ago

oh that makes sense, alright I'll look into that, thanks :)

Vaelatern commented 4 years ago

It would be nice to have a good luks guide on the docs.

Tcll commented 4 years ago

ok so you could be onto something @Vaelatern. looking in /usr/lib/dracut/ on the partition, I've only found 2 folders with "crypt", 1 with "lvm", nothing with "luks"... 90lvm/ and 91crypt-loop/ could be all I need though

though I want to mention, if gpg is known to be broken and insecure, why is 91crypt-gpg/ not only explicitly included when configured... that is, if all modules aren't just simply configured by default anyways... which if that's the case, maybe 91crypt-luks/ is a false expectation??

I'm just applying logic is all :P

EDIT: also on a side note, could Void boot without dracut, or is dracut part of what makes Void secure?? Xubuntu doesn't seem to come with dracut, so I'm a bit confused by it... (was thinking I could just copy the module if dracut is a common bootstrapper or something)

EDIT2: according to this, dracut is apparently an init program generation utility to make booting faster. the initial thought I get is someone knowledgeable with root access over the net could possibly abuse this to boot a persistent RAT

you would never know about it of course, unless you knew how linux worked and took the time to look for it... or of course found out someone shared or used something from the machine

that 2nd thing actually happened to me on Xubuntu. apparently someone got access to an invite link from a program I never shared, found out whoopsie was infected, sending out UDP traffic to some random IP (I took care of it of course and no longer have the issue, but I've been skeptical about what hackers can abuse)

if you want more insight, look up Pupy all you need is someone's IP to infect them with (or so I've been told anyways)

Tcll commented 4 years ago

ok so after reading up a bit on things, I'm back booted into the dracut shell. currently I can actually run # cryptsetup luksOpen /dev/sda1 voidvm just fine

so it's mounted, I just need to figure out how to link it to / and boot it. I can't simply do # mount /dev/sda1 / because: mount /: unknown filesystem type 'crypto_LUKS'.

but aside from that, everything SEEMS fine. I SHOULD be able to boot this, but I just need to know how, and then what to do to fix this once booted

Tcll commented 4 years ago

update: GOT IT! according to this, all I had to do at the dracut shell was run:

# lvm lvchange -a y voidvm/root
# exit

and now I'm at the void login prompt :)

I'll keep playing with things after installing xfce, lxdm, and such (I prefer to do a network source install because it wipes everything unwanted like pulseaudio and such). I'll edit after rebooting if I end up back at the dracut shell or it boots normally.

buuut at least this confirms my noobness was actually able to write a working installation from a broken tut :)

EDIT: well the first reboot took me back to the shell, and so did the second after running $ dracut --force --regenerate-all. apparently the lvm volume isn't mounting like it's supposed to, so I need to run this every time it boots:

# cryptsetup luksOpen /dev/sda1 voidvm
Enter passphrase for /dev/sda1:
# lvm lvchange -a y voidvm/root
# exit

at least lxdm works properly though and doesn't drop me to a tty like it used to :)

but yeah something's configured wrong in my installation procedure and I'm not sure what... should the sid section include the UUID of the root volume rather than the voidvm group?? or is that actually correct and something else is going on??

I literally have no idea what I'm doing :P

Vaelatern commented 4 years ago

Now your dracut shell has all the tools you need, you probably need a configuration change for lvm. I've only once worked with LVM, but it's possible you want a configuration file that informs lvm of its needs.

Tcll commented 4 years ago

@Vaelatern I don't think lvm is exactly the problem. I think the problem has to do with the volume.key file not being used as it's supposed to be, thus I have to luksOpen the volume (which is why dracut can't find it)

just to note, I haven't actually changed anything from the OP. the issue I had when starting this thread is the exact same issue I have now. everything works, it just doesn't apply the key, so something's wrong with the installation directions, and I think it has to do with the sed command: sed -i '/GRUB_CMDLINE_LINUX_DEFAULT=/s/"$/ rd.auto=1 cryptdevice=UUID=PASTE:lvm&/' /etc/default/grub

I said sip last time... woops :P

if not that line, then maybe this line isn't working in /etc/dracut.conf.d/10-crypt.conf? install_items+=" /boot/volume.key /etc/crypttab "

I don't want to risk screwing something up, which is why I'm asking for someone hopefully knowledgeable

the only thing I've changed from the wiki is the base installation procedure is passed to void-installer, where I've only removed this stuff, since it's all passed onto the installer:

# chown root:root /
# chmod 755 /
# passwd root
# echo voidvm > /etc/hostname
# echo "LANG=en_US.UTF-8" > /etc/locale.conf
# echo "en_US.UTF-8 UTF-8" >> /etc/default/libc-locales
# xbps-reconfigure -f glibc-locales

everything else is pretty much unchanged, except for the for in 5.sh that no longer needs mkdir.

but yeah, something from the wiki is incorrect (aside from the grub minimal console error) that's causing dracut to not mount the volume...
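The mistakes this thread keeps circling (the PASTE placeholder left in the grub cmdline by the sed line in the OP, a key file that other users can read, crypttab or the dracut install_items line not naming the key) can all be caught before rebooting into the dracut shell. The checker below is an added example, not code from this issue, the old wiki or Void's own tooling. It assumes the file layout the OP's scripts write under the mounted target (/etc/default/grub, /etc/crypttab, /etc/dracut.conf.d/10-crypt.conf and /boot/volume.key) and takes that target root as its argument; the make_sample_root helper only builds a constructed tree so it can be tried offline.

```shell
#!/bin/sh
# Added example: sanity-check the LUKS/LVM/dracut files written by the scripts
# in this thread before rebooting. Not from the issue or from Void's docs.
# Assumed layout under ROOT (the mounted target: /mnt before chroot, / after):
#   etc/default/grub  etc/crypttab  etc/dracut.conf.d/10-crypt.conf  boot/volume.key
# Prints one line per finding; the exit status is the number of failed checks.

check_luks_config() {
    root=${1%/}
    grub="$root/etc/default/grub"
    crypttab="$root/etc/crypttab"
    dconf="$root/etc/dracut.conf.d/10-crypt.conf"
    key="$root/boot/volume.key"
    fails=0

    # grub itself has to unlock the container, since /boot lives inside it
    if ! grep -q '^GRUB_ENABLE_CRYPTODISK=y' "$grub" 2>/dev/null; then
        echo "FAIL: GRUB_ENABLE_CRYPTODISK=y missing in $grub"; fails=$((fails + 1))
    fi

    # the kernel cmdline must carry a real UUID; the wiki's PASTE placeholder
    # survives whenever the sed line is copied without editing it first
    cmdline=$(grep '^GRUB_CMDLINE_LINUX_DEFAULT=' "$grub" 2>/dev/null || true)
    case $cmdline in
        *cryptdevice=UUID=PASTE*)
            echo "FAIL: cryptdevice UUID placeholder PASTE not replaced"; fails=$((fails + 1)) ;;
        *cryptdevice=UUID=*) ;;
        *)  echo "FAIL: no cryptdevice=UUID=... in GRUB_CMDLINE_LINUX_DEFAULT"; fails=$((fails + 1)) ;;
    esac

    # crypttab must map the container through the key file (third field)
    if ! awk '$3 == "/boot/volume.key" { found = 1 } END { exit !found }' "$crypttab" 2>/dev/null; then
        echo "FAIL: no crypttab entry using /boot/volume.key"; fails=$((fails + 1))
    fi

    # the key file unlocks the disk without a passphrase, so it must exist and
    # must carry no group/other bits (chmod 000 as in the thread, or 600)
    if [ ! -f "$key" ]; then
        echo "FAIL: key file $key missing"; fails=$((fails + 1))
    elif [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group/other"; fails=$((fails + 1))
    fi

    # dracut only sees the key and crypttab if they are copied into the initramfs
    for item in /boot/volume.key /etc/crypttab; do
        if ! grep -q "install_items+=.*$item" "$dconf" 2>/dev/null; then
            echo "FAIL: $item not in install_items of $dconf"; fails=$((fails + 1))
        fi
    done

    return $fails
}

# Build a constructed target tree under DIR for trying the checker offline.
# MODE "good" writes what the thread's 7.sh-9.sh should produce; "bad"
# reproduces the mistakes the checker is meant to catch.
make_sample_root() {
    root=$1; mode=$2
    mkdir -p "$root/etc/default" "$root/etc/dracut.conf.d" "$root/boot"
    uuid='0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0'   # constructed, not a real disk
    if [ "$mode" = bad ]; then uuid=PASTE; fi      # sed line copied verbatim
    cat > "$root/etc/default/grub" <<END
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=4 rd.auto=1 cryptdevice=UUID=$uuid:lvm"
GRUB_ENABLE_CRYPTODISK=y
END
    dd bs=512 count=4 if=/dev/urandom of="$root/boot/volume.key" 2>/dev/null
    if [ "$mode" = good ]; then
        chmod 000 "$root/boot/volume.key"
        echo 'voidvm   /dev/sda1   /boot/volume.key   luks' > "$root/etc/crypttab"
        echo 'install_items+=" /boot/volume.key /etc/crypttab "' > "$root/etc/dracut.conf.d/10-crypt.conf"
    else
        chmod 644 "$root/boot/volume.key"                                   # world-readable key
        echo 'voidvm   /dev/sda1   none   luks' > "$root/etc/crypttab"     # prompts instead of using the key
        echo 'install_items+=" /etc/crypttab "' > "$root/etc/dracut.conf.d/10-crypt.conf"  # key not packed
    fi
}

# usage on a real target, after 9.sh and before grub-install:  check_luks_config /mnt
```

On the "bad" tree the checker reports four findings (placeholder UUID, crypttab without the key, world-readable key, key missing from install_items) and exits with status 4; on the "good" tree it is silent and exits 0. It does not verify the UUID against a real block device, so it is a pre-reboot consistency check, not a substitute for confirming with lsblk -f that the UUID belongs to the LUKS partition.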

Tcll commented 4 years ago

hahahaha, welp, here's something you guys are probably gonna get a kick out of. if I had to take a rough guess, I'd assume that all of my problems are caused from using the DE repo.

after following both answers on here because I was having the invalid cert issue whenever running xbps-install

while I'm sure that just changing the date from Jan 1 2003 would've fixed the invalid cert issue (since that somehow got messed up despite installing from network)

I think the fact I ran an update -Suv from the US repo, which reconfigured dracut, fixed my issue.

now it asks for a password to mount the partition from initramfs, which is something I think the tut was supposed to solve, because I have to enter the password twice: once for grub, once for initramfs

after that, Void starts normally

I also installed zfs and gparted before rebooting, but I don't think those really did anything here

so while this solves the problem, I don't think it solves the issue

would anyone be willing to test my scripts while replacing the DE repo with the US repo in 5.sh: xbps-install -Sy -R http://alpha.us.repo.voidlinux.org/current -r /mnt lvm2 cryptsetup

I don't really wanna go through the process again because it's quite cumbersome, especially for the fact you can't run 7.sh through 9.sh after running chroot. I don't think you can pack everything into 1 easy shell script unless you can wait for user input.

I'd like to just fix the 2x password entry if I can. >_>


Rant: (read below at your own risk, proceed with caution, I'm a bit triggered)

frankly it's rather disappointing some nobody like me had to come along and point out the void-installer doesn't support luks after all this time (7 years at least). :srs: (I'm not sure if the command has been around that long, but luks certainly has)

I also find it a bit disheartening the void-installer isn't a user-friendly GTK UI, but I can let that one slide... I understand this when running from the base (no DE) live image, but not for the others like xfce and such which are trivial to create a launcher for, just, no. why should "BSD-like" have to conform to pathetic elitism where EVERYTHING is done strictly from the terminal. come on guys, "BSD-like" should be BSD-like (functionality), not elitist-like (aesthetic). heck, even BSD uses a cursor (well, FreeBSD anyways, not OpenBSD)

the fact that BSD mostly uses the terminal is the exception from otherwise not having much support. not the preference of the complacent elitist attitude being "unix is better than posix"

Arch and Gentoo already hold and boast the elitist crowns being bases you can build from, Void boasts BSD-like for no systemd (runit) and higher security, not aesthetics. (just cause I'm a game dev/hacker doesn't mean I don't know my stuff)

I understand Void is a half-dead (abandoned?) distro because the developer has been on hiatus for god knows how long (I'm in a similar boat with my main project because I'm having trouble figuring out anonymous IPC over non-standard pipes in python), but why should that halt the evolution of the distro if so many seem to share the passion of it.

I'm sorry if I offended anyone here. I use (and love, if you can't tell) Void because it's touted to be the most secure linux distro, especially for that BSD-like attitude behind it. I'm disappointed to see it slowly rotting away like this :/

if I had the ability to drop my followers for the projects I'm working on, I would certainly take a crack at working on making security features like HIPS (Comodo AntiVirus for Windows), Tor (Tails), VLAN (BSD), Virtualization (Qubes), and heck maybe even my own network protocol (not TCP/IP based) native to Void. heck, maybe even take a crack at forking Void

why just stop at being BSD-like when Void could be better than BSD? heck, VLAN is already something BSD holds over Linux as it's stupid easy to configure

but anyways, again, I'm sorry if my rant offends anyone it just seems like nobody really wants to put any effort into making Void a decent distro... yes it's gotten better over the years, but how much is there that's still left broken or insecure that's hardly being worked on? I'm just left shouting from the sidelines because I got my own stuff to work on, and can't put any effort towards this distro I share a huge passion for. -.-

I really hope things pick up in the near future

Vaelatern commented 4 years ago

> I understand Void is a half-dead (abandoned?) distro because the developer has been on hiatus for god knows how long

Please do not have this attitude. There is no truth behind any of this.

Void is alive, the core team that keeps it that way is also alive.

Do you have issues beyond the poor documentation on the outdated wiki? We do not control the content of the wiki, and no longer recommend it.

Vaelatern commented 4 years ago

By the way, feel free to install gpm to get mouse usage at your console :)

Tcll commented 4 years ago

oh neat at the mouse usage (or terminal cursor) bit. I always thought curses was the only thing that could interact with the terminal, thanks for that :)

but that wasn't exactly my point... I'm thinking of everyone else I've helped install Void, they're just noobs (yes I'm actually doing a lot behind the scenes to help keep Void alive) ^ I've had to switch a few to Mint or Manjaro because just about everything works where it's otherwise a hassle, but they want to try to install Void later on for its superior security.

also that bit about being half-dead, yeah I don't mean to insult the core team, you guys do an amazing job for what IS done ;)

but for an example of one thing that's left out is 64bit Wine support... I'm not sure if that's been updated though, as this was with the 2018 11 11 release (I still have the ISO). another thing is Blender 2.8 runs at 0.5FPS because some library is broken... but that's also knowledge as of the 2018 11 11 release and could be fixed in the update (take the link with a grain of salt because I press the blender devs to include the library rather than you guys fixing it) ^ although it IS a "portable" application, so these things should probably be included regardless.

point be made, there's a lot of issues that arise from Void's lack of support (I understand you guys can only do so much, and don't want to push too hard). if there was an actual forum (not a reddit thread), I would've addressed a ton of these issues a long time ago. (a self-hosted forum would also stand behind the BSD attitude)

yeah Void is NOT dead like many claim, there's just a ton that's not up to spec, which is why I say half-dead ;) with that said though, that's where the lack of effort comes in... it just seems like it's on life support...

I really don't want to see this distro fall, because there's no other distro I know of that puts this much effort towards actual security (Tails is kinda a joke). unlike most everyone else I see with the same attitude as systemd, "well I haven't been hacked yet, so that must mean it's secure" (ignoring all of the issues with it). that's why I'm upset

everyone seems to think of security as keeping a local family member out of your PC. nobody addresses keeping everyone else over the internet out of your PC, which is just as important. (backed up by the fact Linux doesn't have HIPS as of yet, not even CAVL provides it, and something like snort only Detects intrusion)

but anyways, thank you for bearing with me on everything. I really hope things pick up where they need to :)


getting back on topic though, I haven't had any issues with either the docs or Void I haven't fixed or worked around so far, but all the issues I've had have mostly been 3rd party... for example, octoxbps can't install anything as gksudo doesn't work, so I just work around that by searching for packages, and then running xbps-install manually. or for another example, I need to close the drive tab/window in nemo, or the entire program exits when I unmount a drive.

before I really report anything though, I need to test everything on the update as I'm still running 2018 11 11 on my primary machine... (once I can get my DIY multi-purpose router going (the encrypted machine), I'll be able to work on updating my primary and also this machine I'm typing from)

Tcll commented 4 years ago

@the-maldridge why was this closed? the recent addition is still horrible to follow and doesn't initialize the void installer like 4.sh above does. it seems it was just copied from the initial tutorial that was already horrible to follow (as it wasn't meant to be followed by users). (I'm not sure if whatever caused the tutorial to not work has been fixed, but it could at least be made easier to follow)

unless the void installer finally takes care of luks encryption without the need to run cryptsetup or any of that garbage, which would be a valid reason for closing this issue :/

EDIT: if no response or action is made 1 week from now, I'll be creating a new issue in reference to this. I've just checked the downloads, and the current release is still 20191109, in which the installer still doesn't support luks, so the status of this issue is still unresolved and should not be closed.

ignoring the issue does not resolve the problem ;)